Fraud via banking apps

Early Riser

BBC are carrying a report of a woman whose account was emptied after her phone and wallet were stolen (https://www.bbc.com/news/uk-england-london-62767659).

She believes her PIN was accessed via the banking app on her phone. Is this plausible, and do Irish banks carry PINs in their banking apps, as Santander apparently do? They eventually apologised and refunded her:

"She said while she was not certain how the thieves accessed her PIN, she believes they accessed it via her personal banking app. Santander, like some other high street banks, carry PINs in their apps behind security details."
 
When I read these stories I usually use Occam's Razor. What's more plausible: a sophisticated hack by expert cryptographers, or luck by the thief and/or ineptitude by the customer? In this case most likely the thieves spied her inputting her PIN over her shoulder, or she had it written down in her bag, or she had a PIN which was something common like her date and month of birth which they figured out from her ID.


An RTÉ researcher had his bank account emptied last week, see article here. The article focusses on the fraudsters calling up to get him to insert his card into the reader and provide the code. This was to transfer a five-figure sum from his current account to the fraudsters' accounts.

What is completely glossed over is that this was the final step. The fraudsters had been moving funds from his deposit account to his current account for a few days previously. For this the fraudsters didn't need the card reader but must have already had his customer number, PIN, and telephone number. Again, what is more plausible: that someone hacked into the bank's systems or the customer divulged these details accidentally?

Banks' systems are not infallible but they spend hundreds of millions on security systems that are by now close to impossible to hack by brute force or luck. Most fraud now relies on the unwitting participation of the customer. There is a lot of shame around this. I had a colleague tell me recently about how she fell victim to a really basic and obvious phishing fraud involving someone selling something on Facebook, and was four figures down. She then swore to me to keep it secret as she felt so stupid.

I've rarely read one of these stories where I don't feel that the customer is holding back something pretty obvious with regard to their own participation.
 
Agreed.

From reading the twitter thread linked in the journal article, I would expect that what happened is that the RTE guy clicked the link in the text and filled out his online banking details in the scammers' website, thinking it was AIB. They then had access to his online banking but needed the code from the card reader to transfer money to their bank account.

And how could the thieves in the gym case in the OP get into the bank app on her phone without having her app password?
 
Revolut have your card PIN under Cards but you need to access the app first. I wonder did they steal the phone while she was logged into the app and got the PIN that way? Most people I'd imagine, including moi, use the same PIN for access to the app and the card though, so Coyote's answer above is the most plausible.
 
I would expect that what happened is that the RTE guy clicked the link in the text and filled out his online banking details in the scammers' website, thinking it was AIB.
I haven't been a customer for a few years but AIB used to ask only for three random digits of a six-digit password. Asking for the full password should have aroused some suspicion.

The banks get a lot of grief for this stuff from the public. Of course banks are heartless, profit-maximising organisations who will use every excuse not to compensate a customer who was defrauded. But in this case I see AIB refunding the customer after at least two occasions where he gave away information when he shouldn't have. I have no precise idea, but I would guess Irish banks' collective efforts in fraud prevention and detection involve hundreds of staff and tens of millions in annual expenditure. They aren't doing this out of charity - it's out of self interest!

The real gap here is with An Garda Síochána who are literally decades behind when it comes to targeting cyber crime. They are operating out of the 1950s when nearly all theft was physical and the victim and the criminal usually lived locally. Therefore the local Garda station made sense as the locus of investigation. But cybercrime involves victim and perpetrator who are physically distant, often in different countries. The idea that your local garda has the slightest idea who the fraudster is or how to investigate is quite frankly ridiculous.

The victim in the story above was told to go to a nearby station and give a statement which will then manually go into a system and be analysed by some kind of central unit who are most likely utterly understaffed. There is no facility to report financial crime electronically and provide evidence via upload of documents, screenshots, suspicious phone numbers, logs of communication with phishers, bank statements, etc. AGS could make a quantum leap forward if it started collecting this kind of information systematically in a structured format. It would free up lots of staff from onerously and probably ineptly taking this information from people in Garda stations all over the country. They would be able to much more easily and quickly identify patterns of fraud and its likely sources, and target the fraudsters directly.
 
An RTÉ researcher had his bank account emptied last week, see article here. The article focusses on the fraudsters calling up to get him to insert his card into the reader and provide the code. This was to transfer a five-figure sum from his current account to the fraudsters' accounts.

What is completely glossed over is that this was the final step. The fraudsters had been moving funds from his deposit account to his current account for a few days previously. For this the fraudsters didn't need the card reader but must have already had his customer number, PIN, and telephone number. Again, what is more plausible: that someone hacked into the bank's systems or the customer divulged these details accidentally?

Well we know they had his name and telephone number. AIB online banking customer number is unfortunately based on date of birth.

I haven't been a customer for a few years but AIB used to ask only for three random digits of a six-digit password. Asking for the full password should have aroused some suspicion.

Most AIB online prompts currently ask for all 6 digits. I was a little shocked when they changed this; I'd love to see their threat model suggesting this is the better trade-off.

I'm not a fan of blaming the victim, partly because we need more people to talk about this in public. I'm surprised AIB are refunding fraud cases where the victim admits to sharing codes from a card reader. Institutions undoubtedly take a pragmatic approach to fraud when designing their processes and systems; a system impervious to abuse would be intolerable to use (of course I mean system in the wider sense; I'm not alleging a specific technical weakness in AIB's online banking).

A timely article: https://bam.kalzumeus.com/archive/optimal-amount-of-fraud/
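The three-of-six prompt that the last two posts discuss, worked through as an added example (this is not code from any post above, and the threat-model numbers are mine, not AIB's or BoI's): it counts how many observed logins a thief needs before a six-digit password is fully known when each login asks for three random positions, against one login when the site asks for all six, and shows why a phishing page that asks for all six at once is a usable tell. Assumptions: the thief sees whole logins (shoulder-surfing, a keylogger or a phishing page that mirrors the real prompt) and the three positions are drawn uniformly and independently per login.

```python
"""Added example: leakage per observed login under partial vs full password prompts.

  * partial: each login asks for 3 randomly chosen positions of the 6 digits
    (the three-of-six scheme described in the thread);
  * full:    each login asks for all 6 digits.

Assumptions (mine, not any bank's documented threat model): the thief observes
whole logins, and the 3 positions are drawn uniformly and independently.
"""
import random
from math import comb

POSITIONS = 6   # digits in the password
ASKED = 3       # digits requested per login under the partial scheme


def logins_to_recover(rng: random.Random, positions: int = POSITIONS, asked: int = ASKED) -> int:
    """Simulate one thief: how many observed logins until every position is known."""
    known: set[int] = set()
    logins = 0
    while len(known) < positions:
        known.update(rng.sample(range(positions), asked))
        logins += 1
    return logins


def expected_logins(positions: int = POSITIONS, asked: int = ASKED) -> float:
    """Exact expectation of logins_to_recover (coupon collector with group draws).

    P(some position still unseen after n logins), by inclusion-exclusion, is
        sum_{j=1..positions} (-1)^(j+1) C(positions, j) * q_j**n,
    where q_j = C(positions-j, asked) / C(positions, asked) is the chance that
    one login avoids a fixed set of j positions (0 when j leaves fewer than
    `asked` positions). Summing the geometric series over n >= 0 gives
        E[N] = sum_j (-1)^(j+1) C(positions, j) / (1 - q_j).
    """
    total = 0.0
    for j in range(1, positions + 1):
        q_j = comb(positions - j, asked) / comb(positions, asked)
        total += (-1) ** (j + 1) * comb(positions, j) / (1 - q_j)
    return total


def simulated_mean(trials: int = 20_000, seed: int = 1) -> float:
    """Monte Carlo cross-check of expected_logins() for the default 3-of-6 scheme."""
    rng = random.Random(seed)
    return sum(logins_to_recover(rng) for _ in range(trials)) / trials


def remaining_guesses_after_one_phish(asked: int, positions: int = POSITIONS) -> int:
    """Search space left after a single phished login that captured `asked` digits.

    A phishing page that asks for all six (asked=6) leaves 1 candidate; a page
    that faithfully mirrors a three-of-six prompt leaves 10**3. A genuine
    partial-prompt bank never asks for all six, so a page that does is a tell.
    """
    return 10 ** (positions - asked)


if __name__ == "__main__":
    print(f"exact E[logins] under 3-of-6:      {expected_logins():.3f}")
    print(f"simulated mean over 20k thieves:   {simulated_mean():.3f}")
    print(f"exact E[logins] under full prompt: {expected_logins(asked=6):.3f}")
    print("guesses left after one phished login:",
          {"3-of-6 mirror": remaining_guesses_after_one_phish(3),
           "asks all six": remaining_guesses_after_one_phish(6)})
```

Under these assumptions the partial scheme buys roughly 4.3 observed logins of protection against a passive observer and a three-orders-of-magnitude guessing margin against a one-shot phish, at the cost of the bank holding the password in a form it can index by position. Which side of that trade-off a bank picks is exactly the threat model the post above asks to see.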
 
I'm not a fan of blaming the victim, partly because we need more people to talk about this in public.
I tend to agree. This kind of scam demands a much greater law enforcement response and I don't see this as vaguely a priority for AGS.

online banking customer number is unfortunately based on date of birth.
I'd forgotten about that! BoI usernames are at least somewhat random and they seem to still ask for three of the six digits as standard.

It's nice - I'd never seen it framed as such!
 
In spite of what people say, sometimes the victim IS to blame, to a greater or lesser extent. How many people use the same (usually weak) passwords, PINs etc. because they consider security to be a hassle? (It is, and for good reason). So one, possibly inconsequential, account gets hacked but that gives enough info for nefarious actors to gain access to others that are much more sensitive (banking, financial, shopping accounts). Then when they get hacked they cry that the businesses that operate those accounts should've done more when the individual themselves created the weakest link in the chain?

I've heard many anecdotal stories on BBC R4's consumer affairs programmes and in the vast majority of them the individuals affected did something dumb, often because they thought that they were smarter than the scammers and were going to waste their time. Invariably they and the programme makers claimed that somebody else should have protected them (from themselves).
 
The vast majority of the time, the victim is taken in one way or another, usually a phishing site or they read out the OTP to a scammer, but I read that Twitter thread and some people contributed that several UK banking apps do allow you to view the current PIN:


If you could nick someone's phone and they don't have a lock screen, maybe it's quite possible to run some software to crack the app and view the PIN. I'm not au fait with phone cracking, but it looks like even a lock screen can be bypassed easily enough:

https://www.imobie.com/support/how-to-bypass-android-lock-screen-without-reset.htm
Edited to add, I've seen some shoddy stuff from AIB in their mobile app. It's not too hard to believe that the Santander app has some shoddy security practices.
 
Yes, if people take basic, and not very technical, steps to improve the security of their own accounts etc. then they are less likely to be victims of hacking. But many people prefer convenience and insecurity and blaming the man if things go awry.
 
If you could nick someone's phone and they don't have a lock screen, maybe it's quite possible to run some software to crack the app and view the PIN. I'm not au fait with phone cracking, but it looks like even a lock screen can be bypassed easily enough:
But presumably the app needs some or all of password, fingerprint, or facial recognition to log in. I can't access a banking app with my screen unlocked.

I am quite sure there are some experts out there who can exploit gaps in banks' security systems with no customer involvement needed. But I suspect they'd be thinking a bit bigger!

My guess is that people who raid lockers in changing rooms are more likely to have stumbled across an unlocked screen, someone who stores their PIN with their card, someone who uses their DOB as a PIN, etc.

Going on twitter or to the media can make you look like a fool, but it also makes it far more likely that the bank will refund you to avoid negative publicity no matter how big your stupidity. When you're down thousands it's well worth it.
 
To use the app, at least on Android, yes you'd presumably need password, fingerprint, etc.

But if I got someone's Android phone, brought it home and plugged it in via USB to my PC, I could make a reasonable stab at using tutorials on unlocking the phone first. Whether the application data is accessible using ADB utility software I'm less sure. But if that's doable and if that particular bank app was shoddy, the PIN might be kept somewhere insecure in a cache or file. I'm not an Android expert but I can imagine there are plenty who might have the knowledge.

Would thieves have that knowledge? Perhaps, or they could be script kiddies who've bought an illicit bit of PC software that does all those steps for them. I'm taking this woman at her word that someone got the PIN from the app through no fault of hers and speculating how it was done.

You're definitely right that going on social media is much more likely to result in the bank refunding you. In this case, she seems quite genuine, but as in a lot of things she could be going hard on the "not my fault"; there's no way to know for sure. There were some clear mistakes from the bank, like continuing to call the phone for verification after they'd been told it was stolen.
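The failure mode speculated about in the post above (a banking app leaving the PIN in a cache or file), as an added example that is not part of any post here: a small checker that parses an Android SharedPreferences XML file and flags entries that look like plaintext PINs or other secrets. The package name, file contents and every value are constructed for the example and describe no real bank's app. One caveat the post leaves open: on a stock, non-rooted device, /data/data/<package>/shared_prefs is not readable over adb for a non-debuggable app, so the realistic use of this is a developer or tester running it against a copy pulled from a rooted test device or emulator, not a thief with a locked phone.

```python
"""Added example: flag plaintext PIN-like secrets in an Android SharedPreferences file.

The sample XML below is constructed for this example (hypothetical package
com.example.bankapp); nothing in it is taken from a real app.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: what /data/data/com.example.bankapp/shared_prefs/app.xml could hold.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="session_token">eyJhbGciOiJIUzI1NiJ9.e30.abc</string>
    <string name="card_pin">4921</string>
    <long name="last_login_ms" value="1662019200000" />
    <string name="customer_number">12345678</string>
    <string name="pin_hint">mum&apos;s birthday</string>
    <boolean name="biometrics_enabled" value="true" />
    <string name="wrapped_pin">AQIDBA==:k3yst0re</string>
</map>
"""

# Key names that suggest a secret, and the shape of a bare card PIN / app passcode.
SENSITIVE_NAME = re.compile(r"(pin|passw|passcode|secret|token)", re.IGNORECASE)
PIN_VALUE = re.compile(r"^\d{4,6}$")


def scan_shared_prefs(xml_text: str) -> list[dict]:
    """Return findings for entries that look like secrets stored in the clear.

    severity 'high'  : key named like a secret AND value is a bare 4-6 digit number
    severity 'review': key named like a secret with a non-PIN value (a hint, a
                       token, or something that may be Keystore-wrapped), or a
                       bare 4-6 digit value under a key that is not named like one
    Timestamps, customer numbers and booleans are not flagged.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root:
        key = entry.get("name", "")
        # <string> keeps its value as element text; other types use a value attribute.
        value = (entry.text if entry.tag == "string" else entry.get("value")) or ""
        value = value.strip()
        named_sensitive = bool(SENSITIVE_NAME.search(key))
        pin_like = bool(PIN_VALUE.match(value))
        if named_sensitive and pin_like:
            severity = "high"
        elif named_sensitive or pin_like:
            severity = "review"
        else:
            continue
        # Never echo a full secret back out of a scanner; keep a short preview only.
        preview = value[:4] + ("..." if len(value) > 4 else "")
        findings.append({"key": key, "type": entry.tag, "severity": severity,
                         "value_preview": preview})
    return findings


if __name__ == "__main__":
    for f in scan_shared_prefs(SAMPLE_PREFS):
        print(f"{f['severity']:6} {f['type']:7} {f['key']} -> {f['value_preview']}")
```

On the constructed file the only 'high' finding is card_pin; pin_hint, wrapped_pin and session_token come back as 'review' because their names say secret but their values are not bare PINs, which is the shape a Keystore-wrapped or hashed value would also take. A bank app that passes this check can still be shoddy in other ways (the post mentions phone-based verification continuing after a theft report), so it is one test, not a verdict.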
 
Would thieves have that knowledge? Perhaps, or they could be script kiddies who've bought an illicit bit of PC software that does all those steps for them. I'm taking this woman at her word that someone got the PIN from the app through no fault of hers and speculating how it was done.

But the damage was all done by the time she'd discovered the stolen phone and called the bank. See the story:

Charlotte said she was told her card had been used to make about £8,000 worth of purchases from her current account, with goods bought from the Apple store at Westfield shopping centre in Shepherd's Bush, the Apple store in Regent Street, and Selfridges on Oxford Street - all within 90 minutes.

I'm not saying that the thieves didn't have a crack team of hackers sitting in a van outside the gym, or that this couldn't be done in theory. I just think that in this case (as with most) there was ineptitude on the part of the customer. The bank have also made an on-the-record claim that the app wasn't used to discover the PIN:

Santander apologised for initially "incorrectly declining her refund request and for the customer service she received", and it has paid her £750 in compensation. However, it said its "security logs" showed there had been "no compromise with our mobile banking app".

I believe the bank in this case.
 